If there’s an unexploited niche caused by insecure software or behaviour then sooner or later a crook is going to wiggle into it and attempt to use it as a way to make money from someone else’s misery.

Sophos has recently uncovered a new ecological niche in the great internet hack-o-sphere that’s equal parts low-cunning and directness: crooks who are breaking into computers one at a time and running ransomware on them manually – clickety click – in the same way that you might run Word, Notepad or Solitaire.

Let me do that!

We normally think of ransomware as something that’s catapulted into victims’ computers using some form of mass distribution.

For example, the criminals behind WannaCry and NotPetya used a stolen NSA exploit to create worms that copied themselves from one computer to another, encrypting files, demanding ransoms and creating mayhem as they zig-zagged through and between networks.

Phishing is a numbers game: most of your emails won’t get through, many of those that do will go unread, and even those that get opened may find themselves hitting a brick wall – a patched system, for example, or a user who realises that something phishy is going on and stops just short of getting infected.

The phishing crooks only make money if they can repeatedly find new ways to persuade users to open emails and do things their IT team have warned them about, such as saving attachments to disk and then launching them, or opening Office documents and deliberately enabling macros.

For this reason, some cybercriminals have decided that if you want something doing properly, you have to do it yourself.

The attack

Many companies, notably small businesses, outsource their IT to, or pay for lots of help from, outside contractors.

These contractors might live in another part of town, or elsewhere in the country, or even on the other side of the world.

To let remote sysadmins look after your Windows networks, the most widely-used tool is Microsoft’s own Remote Desktop Protocol, or RDP for short.

RDP, for those who haven’t used it, effectively turns your IT guy’s laptop into a remote screen, keyboard and mouse connected over the internet to your local computer.

When they move their mouse in the RDP client software far away, they’re controlling your computer; when a software dialog pops up, they see it on their remote computer.

RDP is like being right there, and allows remote use even of fully-graphical applications that can’t be scripted or operated via a command prompt.

In other words, the RDP password you’ve chosen for your remote sysadmin (or that you’ve let them choose for themselves) is essentially the key to your office – a weak password is like a server room door that’s propped open, inviting any passing snooper to take a look inside.

So, if the crooks notice that you’ve got RDP open to the internet, for example by using a network search engine such as Shodan, you can be sure they’ll take a poke around.

Sophos security experts who’ve investigated a spate of recent RDP attacks have frequently found evidence that a tool called NLBrute was used to try a whole range of RDP passwords – a so-called brute force attack – in the hope of sneaking in.

Once they’ve got your RDP password – whether they use NLBrute, or simply look you up on Facebook to find your birthday and your pet’s name – they’ll logon and immediately create various brand new administrative accounts.

That way, even if you get rid of the crooks and change your own admin password, they’ve already got backup accounts they can use to sneak back in later.

What next?

Once they’re in, here’s what you can expect to happen next, based on what we’ve seen in a number of attacks we’ve investigated:

The crooks download and install low-level system tweaking software, such as the popular Process Hacker tool.

Tools of this sort are regularly used by legitimate sysadmins for troubleshooting and emergency recovery, especially if they use kernel drivers to let you to pull off modifications that the operating system usually prevents. This includes: killing off processes that usually disallow shutdown, deleting locked files, and changing configuration settings that are usually locked down.

The crooks turn off or reconfigure anti-malware software, using the newly-installed tweaking tools.

The crooks go after the passwords of administrator accounts so that they’ll enjoy all the power of a legitimate sysadmin. If they can’t get an admin password, they may try logging in as a regular user and running hacking tools that try to exploit unpatched vulnerabilities to get what’s called EoP, or elevation of privilege.

EoP means that already logged-on users can sneakily promote themselves to more powerful accounts to boost their powers. We’ve seen EoP tools left behind on attacked systems that tried to abuse vulnerabilities dubbed CVE-2017-0213 and CVE-2016-0099, patched by Microsoft back in May 2017 and March 2016 respectively.

The crooks turn off database services (e.g. SQL) so that vital database files can be attacked by malware.

Files such as SQL databases are usually locked while the database server software is active, as a precaution against corruption that could be caused by concurrent access by another program. The side-effect of this is that malware can’t get direct access to database files either, and therefore can’t scramble them to hold them to ransom.

The crooks turn off Volume Shadow Copy (the Windows live backup service) and delete any existing backup files.

Shadow copies act as real-time, online backups that can make recovery from ransomware a quick and easy process. That’s why crooks often go looking for shadow copies first to remove them.

You can guess what happens next.

The crooks upload and run ransomware of their choice.

Because they’ve used their sysadmin powers to rig the system to be as insecure as they can, they can often use older versions of ransomware, perhaps even variants that other crooks have given up on and that are now floating around the internet “for free”.

The crooks don’t have to worry about using the latest and greatest malware, or setting up a command-and-control server, or running a hit-and-hope spam campaign.

In one attack, we saw a folder on the desktop containing four different types of ransomware. The crooks ran each in turn, until one of them worked.

How much is the ransom?

Many ransomware attacks are distributed indiscriminately, and therefore rely on a “pay page” – a Dark Web server set up specially to tell victims how much to pay, and how to pay it.

But these RDP crooks are already personally involved to the extent of logging into your network themselves, so there’s often what you might call a “personal touch”.

Rather than automatically squeezing you via a website, you’ll probably see a pop-up something like this, telling you to make contact via email to “negotiate” the release of your data:

At the time of writing the Bitcoin address used by that attacker contained BTC 9.62, currently worth just over $60,000.

Only one of the transactions matched the 1BTC amount demanded in the ransom, which might indicate that the account is being used for other activities at the same time, or that some victims managed to negotiate a lower price.

The victims

The victims of this kind of attack are almost always small-to-medium companies: the largest business in our investigation had 120 staff, but most had 30 or fewer.

With small scale comes a dependence on external IT suppliers or “jack-of-all-trades” IT generalists trying to manage cybersecurity along with many other responsibilities.

In one case a victim was attacked repeatedly, because of a weak password used by a third-party application that demanded 24-hour administrator access for its support staff.

What to do?

If you don’t need RDP, make sure it’s turned off. Remember to check every computer on the network: RDP can be used to connect to servers, desktops and laptops.

Consider using a Virtual Private Network (VPN) for connections from outside your network. A VPN such as the one in Sophos XG Firewall and Sophos UTM requires outsiders to authenticate with the firewall first, and to connect from there to internal services. This means software such as RDP never needs to be exposed directly to the internet.

Use two-factor authentication (2FA) wherever you can.Sophos XG Firewall and Sophos UTM support 2FA, so that you need a one-time logon code every time. If crooks steal or guess your password, it’s no use on its own.

After an attack, check to see what the crooks have changed. Don’t just remove the malware or apply the missed patches and be done with it. Especially check for added applications, altered security settings, and newly-created user accounts.

Set a lockout policy to limit password guessing attacks. With three guesses at a time followed by a five-minute lockout, a crook can only try out 12 × 3 = 36 passwords an hour, which makes a brute force attack impractical.

If you’re using a third-party IT company and they haven’t already suggested the precautions we’ve listed above, why not ask them why, and ask yourself if they’re the right people to be looking after your network?

Be careful out there – don’t let the Remote Desktop Protocol for your IT team turn into a Ransomware Deployment Process for criminals.

Post navigation

About the author

Mark is the man who keeps the Naked Security site running. He is also a writer for Sophos, is the founder of independent web consultancy Compound Eye and he's interested in literally anything that makes websites better.

21 comments on “Ransomware-spreading hackers sneak in through RDP”

This article is erroneous in its statement of how RDP works — it doesn’t mirror a user session but rather allows a session to be redirected to a remote location. For desktop machines only one session can be in use at a time. This is distinct from VNC which does mirror the user’s session and allow a remote location to view what’s going on in a local session.

There are additional steps system administrators can take (e.g. configuring endpoints to only accept RDP connections from other domain machines, and enforcing the use of TLS encryption on RDP sessions).

Thanks for the additional steps. Note that the article does not talk about mirroring user sessions but ‘effectively’ mirroring aspects of a computer – its screen and keyboard. In other words (and perhaps I should have used other words to be clearer) it is a way of accessing a computer from somewhere it isn’t, as if it is.

I agree with Mark that our description was OK (but it’s a modified version of a plain English explanation I wrote about RDP a couple of years ago, so I may not be 100% objective there :-)

However, I get your point about our use of the word “mirror”, which implies that the remote operator would see exactly what any locally logged-on user was busy with at the time, as you’d experience with VNC. “Mirror” also implies that if you *were* logged in locally when the crooks broke in, you’d immediately notice the crook on your computer because your mouse would start moving of its own accord, and so on.

With that in mind, I reworded it slightly to avoid “mirror”. HtH. Thanks for the comment – see what you think now.

If you use RDP to connect to a desktop which has a user logged in already, isn’t the user kicked out of his session? So, you wouldn’t notice the mouse moving of its own accord but you’d noticed getting logged out.

No, you totally missed the point. As the rightful owner of your desktop, you should not need RDP to log on, why should you?
This is not a client-server logon, mind you.
Therefore, the statement that you’d notice mouse movement of how the crook is operating on your machine is just valid.
I hope you got it now.

Good article, but perhaps you guys “recently uncovered” this, but as for RDP brute force hacking to spread ransomware my company has been dealing with this for the better part of 3 years. It’s pretty easily defended against by using decent passwords, not standard usernames (no first names, etc.), and by having an account lockout policy.

We’ve seen RDP abuse for years, too, even before ransomware was a thing (there’s a link in the article to an RDP piece we ourselves published more than five years ago). But as far as I know, the past couple of months is the first period when we’ve had reports of this on a regular and apparently systematic basis, where we’re sure that RDP was the way in, and where the MO has shown up the sequence of operations we described.

On that basis, we figured that it was worth writing what would otherwise seem like a “Duh, well, obviously” article about not leaving a wide-open remote administration door into your organisation.

Your tips are excellent – though “using decent RDP passwords” might as well include 2FA these days.

Anyway, I take your point about us only writing about this now…but if you’ve been seeing exactly the same MO (and attack intensity) for nearly three years already…

…then it’s even more important to persaude people to do something about it, because we’re looking at a chronic problem, not an acute one :-(

Yep, didn’t mean to come off so pretentiously. It has indeed been a thorn in my side for quite some time however, but I do indeed appreciate the awareness you guys are spreading. In fact, I used this very article to finally convince a customer that was how they got their infection of ransomware, through RDP, and they FINALLY took my suggestions as I outlined in my first post. Since they did, and also with using an inexpensive 3rd party app, I’ve been able to show them exactly how frequently attempted attacks are being made against them. Thanks!

Lots of lazy IT guys open up 3389 through the firewall because they don’t know how to create a proper VPN connection. We’ve seen people change the RDP port to 3390 as a “security measure” (and still get hacked.)

“With three guesses at a time followed by a five-minute lockout, a crook can only try out 12 × 3 = 36 passwords an hour, which makes a brute force attack impractical.”

We discovered exactly this attack against our network — slow-motion brute force attacks against RDP on non-standard ports — from multiple IP addresses, timed to avoid our account lockout policy. I suspect that by the time we discovered the attacks they had been ongoing for over a year.

We have greatly tightened up remote access, but I still worry about why a crook would think it is worthwhile doing brute force attacks at a rate of 1 attempt every 2 minutes — especially since I’ve detected slow motion dictionary attacks like this against both my IMAP and SMTP servers, too.

The idea that a slow motion attack is impractical includes the assumption that an attacker is working alone sitting at his or her computer choosing targets to attack. Based on a presentation I heard at an ISMG conference, I believe that the threat landscape has changed dramatically, and now includes an underground ecosystem with pooled resources that shares data and uses “big data” analytics to combine seemingly disjointed information in order to develop new attacks.

In this new threat ecosystem, slow motion attacks can be used to verify that a connection is still available, in case a valid username and password is obtained through other means — a compromised user’s home computer or webmail access from an insecure network or computer, for example — with the added benefit that the correct combination may be guessed through brute force means.

A slow motion attack could, presumably, be very broad. The resources required to attack a single RDP login many times a second could just as easily be spent trying to access a large number of different RDP endpoints at a slower rate. Since the distribution of likely passwords isn’t random, it’s heavily stacked in favour of the most commonly used ones like “password” or “123456”, it may even be more effective than trying lots and lots of guesses on a single target.

Well, R is, after all, short for Remote. For most small companies, remote means “somewhere else, perhaps on another state” (what a big company would call “off-site”) rather than “downstairs in the server room which I couldn’t be bothered to visit right now”.